postfix config for outgoing smarthost with TLS authentication
this is a short how-to, to get your postfix mailserver to send outgoing mail via a smarthost that requires TLS authentication:
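create a password file with the following contents (replace mail.server.com with the hostname of your smarthost), restrict its permissions and build the lookup table:
echo "mail.server.com username:password" > /etc/postfix/smarthost_password
chmod 600 /etc/postfix/smarthost_password
postmap /etc/postfix/smarthost_password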
edit main.cf
nano /etc/postfix/main.cf
and add / modify these lines:
relayhost = mail.w3design.ch:587
smtp_use_tls=yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smarthost_password
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
also make sure you're not creating an open relay server for everybody to use. for example, limiting your acceptable mail networks to localhost only is a good starting point (in main.cf as well):
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
make sure the necessary SASL libraries are installed:
apt install libsasl2-modules
now check your new config and reload it:
postfix check
postfix reload
monitor your mail logs and send a test message to see what happens:
tail -f /var/log/mail.*
in another terminal:
echo "this is a test" | mail -s test mail@psuter.ch
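The settings above can also be checked mechanically before relying on the relay. The following is an added example, not part of the original how-to: the function names cf_get and audit_relay_cf and the sample file are made up here, and the script reads a main.cf-style file directly (rather than asking postconf), assuming a single lookup table in smtp_sasl_password_maps.

```shell
# Added example, not from the original how-to: static check of a main.cf-style
# file against the settings above. Assumes one map in smtp_sasl_password_maps.
# cf_get FILE KEY: print the last value assigned to KEY (later lines win);
# handles "key=value", "key = value", comments and continuation lines.
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur == key) { sub(/^[ \t]+/, ""); val = val " " $0 } next }
        { eq = index($0, "="); if (!eq) { cur = ""; next }
          cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
          if (cur == key) { val = substr($0, eq + 1); sub(/^[ \t]+/, "", val) } }
        END { sub(/[ \t]+$/, "", val); print val }' "$1"
}
finding() { echo "FINDING: $*"; findings=$((findings + 1)); }
# audit_relay_cf FILE: print findings, return how many there were.
audit_relay_cf() {
    findings=0
    [ -n "$(cf_get "$1" relayhost)" ] || finding "relayhost is not set"
    case "$(cf_get "$1" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) finding "smtp_tls_security_level does not make TLS mandatory" ;;
    esac
    [ "$(cf_get "$1" smtp_sasl_auth_enable)" = yes ] || finding "SASL auth is off"
    case " $(cf_get "$1" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) finding "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    map=$(cf_get "$1" smtp_sasl_password_maps); map=${map#*:}
    case "$(ls -ld "$map" 2>/dev/null)" in
        ????------*) ;;   # no group/other permission bits
        *) finding "password file missing or open to group/other: $map" ;;
    esac
    set -f   # keep entries such as [::1]/128 from being treated as globs
    for net in $(cf_get "$1" mynetworks | tr ',' ' '); do
        case "$net" in
            127.0.0.0/8|"[::ffff:127.0.0.0]/104"|"[::1]/128") ;;
            *) finding "mynetworks includes a non-loopback entry: $net" ;;
        esac
    done
    set +f
    return "$findings"
}
# Constructed sample: the how-to's settings, but TLS only opportunistic ("may").
d=$(mktemp -d); : > "$d/pw"; chmod 600 "$d/pw"
printf '%s\n' 'relayhost = mail.w3design.ch:587' 'smtp_tls_security_level=may' \
    'smtp_sasl_auth_enable = yes' "smtp_sasl_password_maps = hash:$d/pw" \
    'smtp_sasl_security_options = noanonymous' \
    'mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' > "$d/main.cf"
audit_relay_cf "$d/main.cf" || echo "$? finding(s)"
rm -rf "$d"
```

To try it on a real system, run audit_relay_cf against a copy of /etc/postfix/main.cf as a user that can see the password file.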
rewrite from-addresses
in many cases, the sender domain of such a system is an internal domain and will be rejected by many spam filters. for that reason it may be necessary to rewrite the from address to an actual valid email address.
to do that we can use sender_canonical_maps on postfix. Add the following line to /etc/postfix/main.cf:
sender_canonical_maps = hash:/etc/postfix/canonical
and create a map in /etc/postfix/canonical that looks something like this:
@myserver.local valid@email.address
instead of @myserver.local, which will basically rewrite any local email address, we can also use a username like root if that better suits our needs.
finally use postmap to create the hash map and reload the config once more:
postmap /etc/postfix/canonical
postfix check
postfix reload